Want more timely Centmin Mod News Updates?
Become a Member

Letsencrypt Official acmetool.sh testing thread for Centmin Mod 123.09beta01

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Jul 26, 2016.

  1. BobbyWibowo

    BobbyWibowo Active Member

    178
    39
    28
    Jul 30, 2015
    Indonesia
    Ratings:
    +62
    Local Time:
    9:09 PM
    1.17.x
    10.1.x
    What is going on in here?
    Code:
    # ./acmetool.sh certonly-issue fiery.me
    
    -------------------------------------------------
    acmetool.sh is in beta testing phase
    please read & provide bug reports &
    feedback for this tool via the forums
    https://centminmod.com/acmetool
    -------------------------------------------------
    
    continue [y/n] ? y
    
    -----------------------------------------------------
    updating acme.sh client...
    -----------------------------------------------------
    Cloning into 'acme.sh'...
    [Tue Apr  3 20:17:59 UTC 2018] It is recommended to install socat first.
    [Tue Apr  3 20:17:59 UTC 2018] We use socat for standalone server if you use standalone mode.
    [Tue Apr  3 20:17:59 UTC 2018] If you don't use standalone mode, just ignore this warning.
    [Tue Apr  3 20:17:59 UTC 2018] Installing to /root/.acme.sh
    [Tue Apr  3 20:17:59 UTC 2018] Installed to /root/.acme.sh/acme.sh
    [Tue Apr  3 20:17:59 UTC 2018] Installing alias to '/root/.bashrc'
    [Tue Apr  3 20:17:59 UTC 2018] OK, Close and reopen your terminal to start using acme.sh
    [Tue Apr  3 20:17:59 UTC 2018] Installing alias to '/root/.cshrc'
    [Tue Apr  3 20:17:59 UTC 2018] Installing alias to '/root/.tcshrc'
    [Tue Apr  3 20:17:59 UTC 2018] Installing cron job
    10 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    [Tue Apr  3 20:17:59 UTC 2018] Good, bash is found, so change the shebang to use bash as preferred.
    [Tue Apr  3 20:17:59 UTC 2018] OK
    https://github.com/Neilpang/acme.sh
    v2.7.8
    -----------------------------------------------------
    acme.sh updated
    -----------------------------------------------------
    
    -----------------------------------------------------------
    [DNS mode] issue & install letsencrypt ssl certificate for fiery.me
    -----------------------------------------------------------
    testcert value =
    /root/.acme.sh/acme.sh --staging --issue --force --dns dns_cf -d fiery.me -d www.fiery.me -k 2048 --useragent centminmod-centos7-acmesh-dns --log /root/centminlogs/acmetool.sh-debug-log-030418-201751.log --log-level 2
    [Tue Apr  3 20:17:59 UTC 2018] Using stage ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
    [Tue Apr  3 20:18:00 UTC 2018] Multi domain='DNS:fiery.me,DNS:www.fiery.me'
    [Tue Apr  3 20:18:00 UTC 2018] Getting domain auth token for each domain
    [Tue Apr  3 20:18:00 UTC 2018] Getting webroot for domain='fiery.me'
    [Tue Apr  3 20:18:00 UTC 2018] Getting new-authz for domain='fiery.me'
    [Tue Apr  3 20:18:02 UTC 2018] The new-authz request is ok.
    [Tue Apr  3 20:18:02 UTC 2018] Getting webroot for domain='www.fiery.me'
    [Tue Apr  3 20:18:02 UTC 2018] Getting new-authz for domain='www.fiery.me'
    [Tue Apr  3 20:18:03 UTC 2018] The new-authz request is ok.
    [Tue Apr  3 20:18:03 UTC 2018] Found domain api file: /root/.acme.sh/dnsapi/dns_cf.sh
    [Tue Apr  3 20:18:03 UTC 2018] You didn't specify a cloudflare api key and email yet.
    [Tue Apr  3 20:18:03 UTC 2018] Please create the key and try again.
    [Tue Apr  3 20:18:03 UTC 2018] Error add txt for domain:_acme-challenge.fiery.me
    [Tue Apr  3 20:18:03 UTC 2018] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-030418-201751.log
    
    ---------------------------------
     DNS mode via Cloudflare DNS API
    ---------------------------------
     setup TXT DNS record via Cloudflare API
    
    It says these:
    Code:
    [Tue Apr  3 20:18:03 UTC 2018] You didn't specify a cloudflare api key and email yet.
    [Tue Apr  3 20:18:03 UTC 2018] Please create the key and try again.
    
    but I got both CF_KEY and CF_EMAIL filled in /etc/centminmod/acmetool-config.ini :confused:
     
  2. eva2000

    eva2000 Administrator Staff Member

    41,660
    9,380
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,412
    Local Time:
    12:09 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    how did you edit and populate /etc/centminmod/acmetool-config.ini ? using linux nano/vim text editors or on windows pc and text editor and uploaded to server via ftp ?

    if you did the latter code be the text file format being non unix

    what happens if you type command
    Code (Text):
    dos2unix /etc/centminmod/acmetool-config.ini
    

    to convert the text file to right format then try
     
    • Informative Informative x 1
  3. eva2000

    eva2000 Administrator Staff Member

    41,660
    9,380
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,412
    Local Time:
    12:09 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    @BobbyWibowo also you run for staging test ssl cert not live as missing ending live flag
    example run for test staging SSL cert
    Code (Text):
    ./acmetool.sh certonly-issue acme9.domain1.com
    

    example run for live real SSL cert
    Code (Text):
    ./acmetool.sh certonly-issue acme9.domain1.com live
    
     
    • Informative Informative x 1
  4. eva2000

    eva2000 Administrator Staff Member

    41,660
    9,380
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,412
    Local Time:
    12:09 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x

    acmetool.sh 1.0.38



    Updated to add checkdomain option to check IPv4 and IPv6 domain DNS verification and curl checks. Use for troubleshooting if your domain DNS is correctly setup.

    Example output for IPv4 DNS A record only domain with IPv6 disabled.
    Code (Text):
    addons/acmetool.sh checkdomains
    
    -------------------------------------------------
    acmetool.sh is in beta testing phase
    please read & provide bug reports &
    feedback for this tool via the forums
    https://centminmod.com/acmetool
    -------------------------------------------------
    
    continue [y/n] ? y
    ----------------------------------------------
    check domain DNS
    ----------------------------------------------
    --------------------------------------------------------------------
    Checking:    mysqlmymon.com
    A record:    209.141.56.102
    AAAA record: not found
    
    curl -4Ivs https://mysqlmymon.com 2>&1 | egrep 'Connected to|SSL connection using|subject:|start date:|expire date:'
    Connected to mysqlmymon.com (209.141.56.102) port 443 (#0)
    SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    subject: CN=mysqlmymon.com
    start date: Mar 02 23:01:08 2018 GMT
    expire date: May 31 23:01:08 2018 GMT
    --------------------------------------------------------------------
     
    • Like Like x 2
  5. sepulchre

    sepulchre Member

    145
    22
    18
    Dec 22, 2014
    Ratings:
    +26
    Local Time:
    4:09 PM
    I am on http right now and because of GDPR I want to switch to https.

    From what I understand, using the ACME tool will make my site https with an free SSL certificate, is this correct?

    And just in case, before I try it, is there anything I have to backup to be sure, so if I fuk it up, I can go back to it? Is this working with php 7.2?
     
  6. eva2000

    eva2000 Administrator Staff Member

    41,660
    9,380
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,412
    Local Time:
    12:09 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    PHP has nothing to do with HTTPS.

    For existing sites to be safe i'd use method 3 outlined and linked at SSL - Centmin Mod Nginx + SPDY & HTTP/2 SSL Setup Guide and also mentioned in 1st post of this thread for link at Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates

    But yes backing up your Nginx vhosts before hand would be good idea at /usr/local/nginx/conf/conf.d as outlined at Centmin Mod Configuration Files - CentminMod.com LEMP Nginx web stack for CentOS
     
    • Like Like x 1
  7. sepulchre

    sepulchre Member

    145
    22
    18
    Dec 22, 2014
    Ratings:
    +26
    Local Time:
    4:09 PM
    @eva2000
    I must say it was almost straightforward, nothing to be feared from.
    My https works now, thank you.

    One little thing though.
    Step 9 tells us to do
    Code:
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    to force HTTPS as default, which I did. Then I did "nprestart". But still when I visit my site using
    Code:
    domain.com or www.domain.com
    I see the default Centmin Mod Nginx Test Page. Only when I type
    Code:
    https://domain.com
    it works like expected.
    Are there any caches involved? Do I have to wait a little longer for the DNS to renew itself?
     
  8. eva2000

    eva2000 Administrator Staff Member

    41,660
    9,380
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,412
    Local Time:
    12:09 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    Are the host.domain.com and HTTPS enabled site also on same top level domain.com ? did you enable HSTS with include subdomain too ? if you did then you're telling browsers to force HTTP to HTTPS redirected connections for domain.com and any *.domain.com subdomain as well

    see Enabling HSTS for SSL for specifics
    As accessing host.domain.com is usually reserved for stats and admin pages the Centmin Mod LEMP stack owner only needs to access, you can just clear your web browser's HSTS record for the domain.com and host.domain.com so the web browser no longer redirects from HTTP to HTTPS. I posted a thread at SSL - How to clear HSTS browser cache | Centmin Mod Community specifically for this :)unfortunately
     
    • Like Like x 1
  9. sepulchre

    sepulchre Member

    145
    22
    18
    Dec 22, 2014
    Ratings:
    +26
    Local Time:
    4:09 PM
    Yes to all of your questions. I don't have any subdomains, just the one top level, but still I included in the HSTS the subdomain, too, to be sure.

    I could but I don't expect visitors knowing how to clear HSTS records.

    I use Firefox :(.
     
  10. eva2000

    eva2000 Administrator Staff Member

    41,660
    9,380
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,412
    Local Time:
    12:09 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    Google for firefox clear HSTS. That is why i warn of HSTS dangers if enabled incorrectly
     
    • Like Like x 1
  11. sepulchre

    sepulchre Member

    145
    22
    18
    Dec 22, 2014
    Ratings:
    +26
    Local Time:
    4:09 PM
    Did I do sth. incorrectly? Should I remove the subdomain part as I don't have subdomains?
     
  12. eva2000

    eva2000 Administrator Staff Member

    41,660
    9,380
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,412
    Local Time:
    12:09 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    yup
     
  13. sepulchre

    sepulchre Member

    145
    22
    18
    Dec 22, 2014
    Ratings:
    +26
    Local Time:
    4:09 PM
    It didn't solve the issue.
    It seems that once you visit the page by using https, then after that domain.com redirects correctly to https.
    But a fresh browser with a first visit using domain.com, still lands on the http page (nginx test page) even though the conf file is disabled for http.
     
  14. eva2000

    eva2000 Administrator Staff Member

    41,660
    9,380
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,412
    Local Time:
    12:09 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    ;)
     
  15. eva2000

    eva2000 Administrator Staff Member

    41,660
    9,380
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,412
    Local Time:
    12:09 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    oh you mean http to https is not redirecting ?

    Posted at centminmod.com/nginx_domain_dns_setup.html#httpsredirect is the correct way to set it up - pay attention to different way if you want redirect target being www version instead of non-www and vice versa and that the target version www or non-www is the only version listed in server_name for the 2nd/main server {} context.

    key to testing is using 302 temp redirect first in a private incognito browser session otherwise the problems you can experience may end up being due to browser caching or 301 permanent redirects unless you clear browser cache and reboot local computer(s) and even then some web browsers don't let go of 301 permanent redirect browser cache that willingly :)

    You can test in SSH via curl to check headers for location field (where the redirect goes) using the following commands:
    Code (Text):
    curl -I http://domain.com
    

    Code (Text):
    curl -I http://www.domain.com
    
     
  16. sepulchre

    sepulchre Member

    145
    22
    18
    Dec 22, 2014
    Ratings:
    +26
    Local Time:
    4:09 PM
    Yeah, exactly.

    Still same problem.

    Here is my ssl-conf file:

    I want https only and non-www only.
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For HTTP/2 SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    server {
       server_name www.mydomain.com;
        return 301 https://mydomain.com$request_uri;
     }
    
    server {
      listen 443 ssl http2;
      server_name mydomain.com;
     
      ##  redirect https www to https non-www
          if ($host = 'www.mydomain.com' ) {
             return 301 https://mydomain.com$request_uri;
          }
    
      ssl_dhparam /usr/local/nginx/conf/ssl/mydomain.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # dual cert supported ssl ciphers
      ssl_ciphers     ... ... ...;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
      add_header Strict-Transport-Security "max-age=31536000;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer; 
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/mydomain.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/mydomain.com/log/error.log;
    
      root /home/nginx/domains/mydomain.com/public;
    
    location / {
         index index.php index.html index.htm;
         try_files $uri $uri/ /index.php?$uri&$args;
    }
    
    
    
    location /install/data/ {
         internal;
    }
    
    location /install/templates/ {
         internal;
    }
    
    location /internal_data/ {
         internal;
    }
    
    location /library/ {
         internal;
    } 
    
    # xenforo 2 uncomment / remove hash from next 3 lines
    location /src/ {
         internal;
    }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      #include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    


    Code:
    [22:41][[email protected] ~]# curl -I http://mydomain.com
    HTTP/1.1 200 OK
    Date: Mon, 28 May 2018 22:46:32 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 4074
    Last-Modified: Thu, 08 Mar 2018 20:58:35 GMT
    Connection: keep-alive
    Vary: Accept-Encoding
    ETag: "5aa1a3fb-fea"
    Server: nginx centminmod
    X-Powered-By: centminmod
    Accept-Ranges: bytes
    
    Code:
    HTTP/1.1 301 Moved Permanently
    Date: Mon, 28 May 2018 22:47:47 GMT
    Content-Type: text/html
    Content-Length: 178
    Connection: keep-alive
    Location: https://mydomain.com/
    Server: nginx centminmod
    X-Powered-By: centminmod
    
     
  17. eva2000

    eva2000 Administrator Staff Member

    41,660
    9,380
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,412
    Local Time:
    12:09 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    change from
    Code (Text):
    server {
       server_name www.mydomain.com;
        return 301 https://mydomain.com$request_uri;
     }
    

    to
    Code (Text):
    server {
       server_name mydomain.com www.mydomain.com;
        return 301 https://mydomain.com$request_uri;
     }
    

    You're telling nginx both non-www and www non-https port 80 redirects to non-www https port 443
     
    • Winner Winner x 1
  18. sepulchre

    sepulchre Member

    145
    22
    18
    Dec 22, 2014
    Ratings:
    +26
    Local Time:
    4:09 PM
    Thank you very much, that solved the issue.

    The thing is I remember specificially removing this on purpose to have www directed to non-www in http.
    And your guide says that we should copy all redirects we have in our http version of conf file to the https version. So I did that. But it seems it was wrong to leave that part out. Sorry for the inconvenience.
     
    • Like Like x 1
  19. eva2000

    eva2000 Administrator Staff Member

    41,660
    9,380
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,412
    Local Time:
    12:09 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    Curious how many folks would like to see dual SSL certs (RSA/ECDSA) mode enabled by default for letsencrypt SSL integration in Centmin Mod 123.09beta01 ? The manual method is outlined at SSL - Nginx 1.11.0 introduces dual ECDSA + RSA SSL certificate support !. However, addons/acmetools.sh supports automated dual SSL cert issuance optionally outlined here when you use DUALCERTS='y' set in persistent config file /etc/centminmod/custom_config.inc along with LETSENCRYPT_DETECT='y'

    Code (Text):
    LETSENCRYPT_DETECT='y'
    DUALCERTS='y'
    


    Only issue is you're hit Letsencrypt rate limits for SSL certificate issuances sooner if you have alot of SSL certs.
     
  20. rdan

    rdan Well-Known Member

    4,667
    1,121
    113
    May 25, 2014
    Ratings:
    +1,663
    Local Time:
    10:09 PM
    Mainline
    10.2
    Me :).
    I have all dual cert enabled for large sites I have.
     
    • Agree Agree x 1